executing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by consuming and executing instructions from an external plan file.
- Ingestion points: Step 1 involves reading a plan file from the local workspace.
- Boundary markers: The skill lacks explicit instructions or delimiters to isolate the plan's content from the agent's core instructions, potentially allowing a malicious plan to override behavior.
- Capability inventory: The skill is designed to execute tasks, run verifications, and apply changes, providing a significant capability surface for any instructions contained in the plan.
- Sanitization: No sanitization, validation, or safety filtering of the ingested plan content is specified.
- [COMMAND_EXECUTION]: The skill's core purpose is the execution of tasks and verifications defined in an external plan. This mechanism can be used to execute arbitrary commands if the source plan file is compromised or contains malicious instructions, especially given the directive to follow steps 'exactly'.
Audit Metadata